[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection

To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Petre Eftime <epetre@xxxxxxxxxx>
Date: Mon, 26 Nov 2018 13:22:04 +0000
Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Amit Shah <aams@xxxxxxxxxx>, Petre Eftime <epetre@xxxxxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxx>
Delivery-date: Mon, 26 Nov 2018 13:22:48 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

There is a circular link formed between domain and a connection. In certain
circustances, when conn is freed, domain is also freed, which leads to use
after free when trying to set the conn field in domain to null.

Signed-off-by: Petre Eftime <epetre@xxxxxxxxxx>
---
 tools/xenstore/xenstored_domain.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tools/xenstore/xenstored_domain.c 
b/tools/xenstore/xenstored_domain.c
index fa6655033a..f085d40476 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -222,6 +222,7 @@ static void domain_cleanup(void)
 {
        xc_dominfo_t dominfo;
        struct domain *domain;
+       struct connection *tmp_conn;
        int notify = 0;
 
  again:
@@ -238,8 +239,14 @@ static void domain_cleanup(void)
                                continue;
                }
                if (domain->conn) {
-                       talloc_unlink(talloc_autofree_context(), domain->conn);
+                       /*
+                        * In certain circumstances conn owns domain and
+                        * domain will be freed when conn is unlinked.
+                        */
+                       tmp_conn = domain->conn;
                        domain->conn = NULL;
+
+                       talloc_unlink(talloc_autofree_context(), tmp_conn);
                        notify = 0; /* destroy_domain() fires the watch */
                        goto again;
                }
-- 
2.16.5




Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar 
Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in 
Romania. Registration number J22/2621/2005.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
  - From: Wei Liu
- Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
  - From: Wei Liu

Prev by Date: Re: [Xen-devel] [PATCH 3/4] xen/arch: Switch local_irq_save() to being a static inline helper
Next by Date: Re: [Xen-devel] [PATCH 4/4] xen/arch: Switch local_irq_restore() to being a static inline helper
Previous by thread: [Xen-devel] x86_emulator distclean failing
Next by thread: Re: [Xen-devel] [PATCH] tools/xenstore: domain can sometimes disappear when destroying connection
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.